Skip to content

build(deps): bump actions/setup-go from 6 to 7#516

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/setup-go-7
Open

build(deps): bump actions/setup-go from 6 to 7#516
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/setup-go-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/setup-go from 6 to 7.

Release notes

Sourced from actions/setup-go's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/setup-go@v6...v7.0.0

v6.5.0

What's Changed

Dependency update

New Contributors

Full Changelog: actions/setup-go@v6...v6.5.0

v6.4.0

What's Changed

Enhancement

Dependency update

Documentation update

New Contributors

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

What's Changed

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

What's Changed

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated CI/CD build infrastructure.

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6 to 7.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v6...v7)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 17, 2026
@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: c2ba27fd-fe08-4aae-8720-93687c0e502e

📥 Commits

Reviewing files that changed from the base of the PR and between 4fb0bb9 and 60f04f5.

📒 Files selected for processing (2)
  • .github/workflows/ci-build.yml
  • .github/workflows/verify-dependencies.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • codeready-toolchain/api (manual)
  • codeready-toolchain/toolchain-common (manual)
  • codeready-toolchain/host-operator (manual) → reviewed against open PR #1277 dependabot/github_actions/actions/setup-go-7 instead of the default branch
  • codeready-toolchain/toolchain-e2e (manual)
📜 Recent review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Verify Dependencies
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/ci-build.yml

[error] 21-21: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

🔇 Additional comments (1)
.github/workflows/ci-build.yml (1)

21-21: 🔒 Security & Privacy

Verify cache trust boundaries in both workflows.

actions/setup-go@v7 retains default caching and saves caches after successful jobs. (github.com) GitHub documents cache poisoning as a risk when untrusted workflow content can write or influence caches later consumed by privileged workflows. (docs.github.com)

  • .github/workflows/ci-build.yml#L21-L21: verify triggers, checkout ref, and permissions; disable caching for any privileged untrusted-code path.
  • .github/workflows/verify-dependencies.yml#L17-L17: apply the same cache trust-boundary verification and mitigation.

Source: Linters/SAST tools


Walkthrough

Both GitHub Actions workflows update actions/setup-go from version 6 to version 7. No other workflow behavior or exported entities changes.

Changes

Go Actions Version Update

Layer / File(s) Summary
Update Go setup actions
.github/workflows/ci-build.yml, .github/workflows/verify-dependencies.yml
The CI build and dependency verification workflows now use actions/setup-go@v7.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested labels: ci

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description lacks the required 'Description' and 'Checks' sections from the template, including the yes/no questions. Add the template sections and answer all required checks, including make generate, cross-project impact, and any linked PRs.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the dependency bump from actions/setup-go v6 to v7.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/setup-go-7

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot added the ci Add or update CI/CD configuration label Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci Add or update CI/CD configuration dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant